Logs and Reports

The Cisco Secure Access Control Server Release 4.1, hereafter referred to as ACS, produces a variety of logs. You can download many of these logs, or view them in the ACS web interface as HTML reports.

AAA-Related Logs

AAA-related logs contain information about the use of remote access services by users. Table 10-1 describes all AAA-related logs.

In the web interface, you can enable, configure, and view AAA-related logs, if you have the appropriate permissions.

Table 10-1 AAA-Related Log Descriptions

Log

Description

TACACS+ Accounting

Contains:

• User session stop and start times

• AAA client messages with username

• Caller line identification (CLID)

• Session duration

TACACS+ Administration

Lists configuration commands entered on a AAA client by using TACACS+ (Cisco IOS). Particularly if you use ACS to perform command authorization, we recommend that you use this log.

Note To use the TACACS+ Administration log, you must configure TACACS+ AAA clients to perform command accounting with ACS. The following line must appear in the access server or router configuration file:

aaa accounting commands start-stop tacacs+

RADIUS Accounting

Contains:

• User session stop and start times

• AAA client messages with username

• Caller line identification information

• Session duration

You can configure ACS to include accounting for Voice-over-IP (VoIP) in the RADIUS Accounting log, in a separate VoIP accounting log, or in both places.

VoIP Accounting

Contains:

• VoIP session stop and start times

• AAA client messages with username

• CLID information

• VoIP session duration

You can configure ACS to include accounting for VoIP in this separate VoIP accounting log, in the RADIUS Accounting log, or in both places.

Failed Attempts

Lists authentication and authorization failures with an indication of the cause. For posture-validation requests, this log records the results of any posture validation that returns a posture token other than Healthy.

You can use these reports to find out who disabled an account, if disabling the account after a given number of failed attempts has been enabled under the expiration information. The log can also provide some insight into intrusion attempts and is a valuable troubleshooting tool.

Passed Authentications

Lists successful authentication requests. This log does not depend on accounting packets from your AAA clients, so it is available even if your AAA clients do not support RADIUS accounting or if you have disabled accounting on your AAA clients. For posture-validation requests, this log records the results of all posture-validation requests resulting in an SPT.

Logging Attributes

Information is logged as a set of logging attributes. These attributes can be:

Among the many attributes that ACS can record in its logs, a few are of special importance. The following list explains the special logging attributes that ACS provides.

• User Attributes—These logging attributes appear in the Attributes list for any log configuration page. ACS lists them by using their default names: Real Name, Description, User Field 3, User Field 4, and User Field 5. If you change the name of a user-defined attribute, the default name, rather than the new name, still appears in the Attributes list.

The values that you enter in the corresponding fields in the user account determine the content of these attributes. For more information about user attributes, see Customizing User Data, page 2-5.

• ExtDB Info—If the user is authenticated with an external user database, this attribute contains a value that the database returns. In the case of a Windows user database, this attribute contains the name of the domain that authenticated the user.

In entries in the Failed Attempts log, this attribute contains the database that last successfully authenticated the user. It does not list the database that failed the user-authentication attempt.

• Access Device—The name of the AAA client that is sending the logging data to ACS.

• Filter Information—The result of network access restrictions (NARs) applied to the user, if any. The message in this field indicates whether all applicable NARs permitted the user access, all applicable NARs denied the user access, or more specific information about which NAR denied the user access. If no NARs apply to the user, this logging attribute notes that no NARs were applied.

The Filter Information attribute is available for Passed Authentication and Failed Attempts logs.

• Device Command Set—The name of the device command set, if any, that was used to satisfy a command authorization request.

The Device Command Set attribute is available for Failed Attempts logs.

• Bypass info—Information about the MAC authentication bypass feature. The message in this field indicates whether the MAC address was found or not found.

The Bypass info attribute is available for Failed Attempts and Passed Authentications logs.

• Remote Logging Result—Whether a remote logging service successfully processes a forwarded accounting packet. This attribute is useful for determining which accounting packets, if any, a central logging service did not log. It depends on the receipt of an acknowledgment message from the remote logging service. The acknowledgment message indicates that the remote logging service properly processed the accounting packet according to its configuration. A value of Remote-logging-successful indicates that the remote logging service successfully processed the accounting packet. A value of Remote-logging-failed indicates that the remote logging service did not process the accounting packet successfully.

Note ACS cannot determine how a remote logging service is configured to process the accounting packets that ACS forwards to it. For example, if a remote logging service is configured to discard accounting packets, it discards a forwarded accounting packet and still responds to ACS with an acknowledgment message. This message causes ACS to write a value of Remote-logging-successful in the Remote Logging Result attribute of the local log entry that records the accounting packet.

• Posture-Validation Logging Attributes:

– Application-Posture-Token—The application posture token (APT) that a particular policy returns during a posture-validation request. This attribute is available only in the Passed Authentications and Failed Attempts logs.

– System-Posture-Token—The system posture token (SPT) that a particular policy returns during a posture-validation request. This attribute is available only in the Passed Authentications and Failed Attempts logs.

– Other Posture-Validation Attributes—Attributes that a NAC client sends to ACS during a posture-validation request. The attributes are uniquely identified by the vendor name, application name, and attribute name. For example, the NAI:AV:DAT-Date attribute contains information about the date of the DAT file on the NAC client for the antivirus application by Network Associates, Inc. These attributes are available only in the Passed Authentications and Failed Attempts logs.

You can choose to log posture-validation attributes in the Passed Authentications and Failed Attempts logs. All inbound attributes are available for logging. The only two outbound attributes that you can record in logs are Application-Posture-Assessment and System-Posture-Assessment.

All posture-validation requests resulting in a system posture token (SPT), also known as a system posture assessment, are logged in the Passed Authentications log. Posture-validation requests resulting in an SPT of anything other than Healthy are logged in the Failed Attempts log. For more information about posture tokens, see Posture Tokens, page 13-3.

• Authen-Failure-Code attribute for HCAP errors:

When Host Credentials Authentication Protocol (HCAP) fails, the Authen-Failure-Code attribute entry in the Failed Attempts report may display one of the following errors:

ACS Audit Logs

Audit logs contain information about the ACS system and activities and, therefore, record system-related events. These logs are useful for troubleshooting or audits. Comma-separated value (CSV) audit logs are always enabled, and you can enable or disable audit logs to other loggers. You cannot configure the audit log content.

Administration Audit

Lists actions taken by each system administrator, such as adding users, editing groups, configuring a AAA client, or viewing reports.

User Password Changes

Lists user password changes that users initiate, regardless of which password-change mechanism was used to change the password. Thus, this log contains records of password changes made through the ACS Authentication Agent, the User Changeable Password web interface, or a Telnet session on a network device that uses TACACS+. This log does not list password changes that an administrator makes in the ACS web interface.

ACS Service Monitoring

Lists when ACS services start and stop.

Appliance Administration Audit

Lists administrator activity on the serial console, including logins, logouts, and commands executed.

You can configure ACS to log information to more than one logger. For information about configuring logs, see Configuring ACS Logs.

You can configure a critical logger for accounting logs to guarantee delivery of these logs to at least one logger. For more information, see Configuring Critical Loggers.

CSV Logger

The CSV logger records data for logging attributes in columns separated by commas (,). You can import this format into a variety of third-party applications, such as Microsoft Excel or Microsoft Access. After you import data from a CSV file into such applications, you can prepare charts or perform queries, such as determining how many hours a user was logged in to the network during a given period. For information about how to use a CSV file in a third-party application such as Microsoft Excel, see the documentation from the third-party vendor.

Tip A CSV file may not import correctly for every language or locale, for example into programs such as Word or Excel. If necessary, replace the commas (,) with semicolons (;).

You can access the CSV files on the ACS server hard drive or you can download the CSV file from the web interface.
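The kind of query the CSV logger section describes (how many hours a user was logged in during a period), worked as an added example that is not Cisco's code. It assumes an accounting export that contains Date, Time, User-Name, Acct-Status-Type and Acct-Session-Time columns (the last two are standard RADIUS accounting attributes); a real export carries whichever attributes were selected on the log configuration page. The sample rows are constructed, and the parser also accepts the semicolon-delimited variant the locale tip mentions.

```python
"""Per-user session hours from an ACS-style CSV accounting export.

Added example; this is not Cisco's code. Column names are assumed, and the
sample export below is constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample export (mm/dd/yyyy date format). Only a Stop record
# carries the final Acct-Session-Time, so Start records contribute nothing.
SAMPLE_CSV = """Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Time,NAS-IP-Address
03/15/2007,08:00:12,alice,Default Group,Start,,192.0.2.10
03/15/2007,12:00:12,alice,Default Group,Stop,14400,192.0.2.10
03/15/2007,13:30:00,bob,Default Group,Start,,192.0.2.11
03/15/2007,15:00:00,bob,Default Group,Stop,5400,192.0.2.11
03/16/2007,09:00:00,alice,Default Group,Stop,1800,192.0.2.10
"""

# The same export with the delimiter swapped, as the locale tip suggests.
SAMPLE_CSV_SEMICOLON = SAMPLE_CSV.replace(",", ";")

STAMP_FORMAT = "%m/%d/%Y %H:%M:%S"


def detect_delimiter(text: str) -> str:
    """Choose ',' or ';' from the header line so both export styles parse."""
    header = text.splitlines()[0] if text else ""
    return ";" if header.count(";") > header.count(",") else ","


def session_hours(text: str, start: str, end: str) -> dict:
    """Sum Acct-Session-Time (seconds) per user for Stop records in [start, end].

    start and end are 'mm/dd/yyyy hh:mm:ss' strings. Returns {user: hours}.
    Rows with a missing or non-numeric session time are skipped rather than
    aborting the whole report.
    """
    lo = datetime.strptime(start, STAMP_FORMAT)
    hi = datetime.strptime(end, STAMP_FORMAT)
    reader = csv.DictReader(io.StringIO(text), delimiter=detect_delimiter(text))
    totals = defaultdict(float)
    for row in reader:
        if row.get("Acct-Status-Type") != "Stop":
            continue
        stamp = datetime.strptime(f"{row['Date']} {row['Time']}", STAMP_FORMAT)
        if not (lo <= stamp <= hi):
            continue
        seconds = row.get("Acct-Session-Time") or ""
        if not seconds.isdigit():
            continue
        totals[row["User-Name"]] += int(seconds) / 3600.0
    return dict(totals)


if __name__ == "__main__":
    report = session_hours(SAMPLE_CSV, "03/15/2007 00:00:00", "03/16/2007 23:59:59")
    for user, hours in sorted(report.items()):
        print(f"{user}: {hours:.2f} h")
```

Only Stop records are summed because the Start record of a session has no duration yet; a session that has no Stop record in the period (still open, or whose Stop packet was lost) is therefore not counted, which is the conservative choice for an entitlement or billing report.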

CSV Log File Locations

By default, ACS keeps log files in directories that are unique to the log. You can configure the log file location of CSV logs. The default directories for all logs reside in sysdrive:\Program Files\CiscoSecure ACS vx.x. For the subdirectory of this location for a specific log, see Table 10-3.

Table 10-3 Default CSV Log File Locations

Log                              Default Location
TACACS+ Accounting               Logs\TACACS+Accounting
TACACS+ Administration           Logs\TACACS+Administration
RADIUS Accounting                Logs\RADIUS Accounting
VoIP Accounting                  Logs\VoIP Accounting
Failed Attempts                  Logs\Failed Attempts
Passed Authentications           Logs\Passed Authentications
ACS Backup and Restore           Logs\Backup and Restore
RDBMS Synchronization            Logs\DbSync
Database Replication             Logs\DBReplicate
Administration Audit             Logs\AdminAudit
User Password Changes            CSAuth\PasswordLogs
ACS Active Service Monitoring    Logs\ServiceMonitoring

CSV Log Size and Retention

For each CSV log, ACS writes a separate log file. When a log file size reaches 10 MB, ACS starts a new log file. ACS retains the seven most recent log files for each CSV log.

Syslog Logger

The ACS syslog logger supports the standard syslog format. You can send log data for any report to up to two syslog servers. You configure the syslog servers for each report individually. You can use syslog to centralize the data from multiple ACSs.

ACS syslog logging follows the standard syslog protocol (RFC 3164). Messages are sent connectionless to syslog servers by using an unsecured UDP port without data encryption.

Note The syslog protocol contains no mechanism to ensure delivery, and since the underlying transport is UDP, message delivery is not guaranteed.

Syslog Message Format

The format of the ACS syslog message content is:

<n> mmm dd hh:mm:ss XX:XX:XX:XX TAG msg_id total_seg seg# A1=V1

where:

• <n>—The Priority value of the message; it is a combination of the facility and severity of the syslog message. The Priority value is calculated according to RFC 3164, by first multiplying the facility value by 8 and then adding the severity value.

ACS syslog messages use the following facility values:

– 4 (Auth)—Security and authorization messages. This value is used for all AAA-related messages (failed attempts, passed attempts, accounting, and so on).

– 13 (System3)—Log audit. This value is used for all other ACS report messages.

All ACS syslog messages use a severity value of 6 (Info).

For example, if the facility value is 13 and the severity value is 6, the Priority value is 110 ((8 x 13) + 6). The Priority value appears according to the syslog server setup, and might appear as one of:

– System3.Info

– <110>

Note You cannot configure the format of the syslog facility and severity on ACS.

• mmm dd hh:mm:ss—Date and time of the message.

• XX:XX:XX:XX—IP address of the machine generating this syslog message.

You can configure the maximum length for ACS syslog messages. We recommend a maximum message length of 1,024 bytes for messages to a standard syslog server; however, the configuration should correspond to the target server specifications.

When an ACS message, including header and data, exceeds the syslog standard length limitation or target length limitation, the message content is split into several segments:

• The message is split between attribute value pairs, keeping an attribute value pair complete within a segment if possible. Each segment ends with the comma (,) delimiter; the next segment starts with the header and then the next attribute value pair.

• All segments of the same message have the same header. The <msg_id> and <total_seg> values are shared between all segments. The <seg#> is set according to the sequence of the segments.
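A receiver for the message layout and segmentation rules described above, as an added example that is not Cisco's code. It decodes the Priority value back into facility and severity, groups segments by host and msg_id, joins them in seg# order, and reports messages for which a segment never arrived, which is the failure mode the UDP note warns about. The tag names, message ids and attribute names in the sample lines are constructed for illustration.

```python
"""Parse and reassemble ACS-style syslog messages.

Added example; this is not Cisco's code. It follows the header layout
<n> mmm dd hh:mm:ss host TAG msg_id total_seg seg# A1=V1,... given above.
Tags, ids and attribute names in SAMPLE_LINES are constructed.
"""
import re
from collections import defaultdict

# Facility numbers documented for ACS; every ACS message uses severity 6.
FACILITY_NAMES = {4: "Auth", 13: "System3"}
SEVERITY_NAMES = {6: "Info"}

HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<tag>\S+) (?P<msg_id>\S+) "
    r"(?P<total>\d+) (?P<seg>\d+) (?P<body>.*)$"
)

# Constructed sample: one single-segment message, one two-segment message,
# and a two-segment message whose second datagram never arrived.
SAMPLE_LINES = [
    "<38>Mar 15 08:00:12 192.0.2.5 ACS_PassedAuth 1001 1 1 "
    "Message-Type=Authen OK,User-Name=alice,Group-Name=Default Group,Access Device=edge-sw1",
    "<38>Mar 15 08:00:13 192.0.2.5 ACS_FailedAuth 1002 2 1 "
    "Message-Type=Authen failed,User-Name=mallory,Authen-Failure-Code=Invalid password,",
    "<38>Mar 15 08:00:13 192.0.2.5 ACS_FailedAuth 1002 2 2 "
    "Access Device=edge-sw1,NAS-IP-Address=192.0.2.10",
    "<110>Mar 15 08:00:20 192.0.2.5 ACS_AdminAudit 1003 2 1 "
    "Message-Type=Administration audit,Administrator=admin,",
]


def decode_priority(pri: int):
    """Undo PRI = facility * 8 + severity (RFC 3164)."""
    return pri // 8, pri % 8


def parse_segment(line: str):
    """Return the header fields and raw body of one segment, or None."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    seg = m.groupdict()
    seg["pri"] = int(seg["pri"])
    seg["total"] = int(seg["total"])
    seg["seg"] = int(seg["seg"])
    seg["facility"], seg["severity"] = decode_priority(seg["pri"])
    return seg


def parse_attributes(body: str) -> dict:
    """Split 'A1=V1,A2=V2,' into a dict; a trailing comma produces no key."""
    attrs = {}
    for pair in body.split(","):
        if "=" in pair:
            name, value = pair.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs


def reassemble(lines):
    """Group segments by (host, msg_id) and join them in seg# order.

    Returns (messages, incomplete): complete messages with parsed attributes,
    and the (host, msg_id) keys of messages missing at least one segment.
    """
    parts = defaultdict(dict)
    header = {}
    for line in lines:
        seg = parse_segment(line)
        if seg is None:
            continue
        key = (seg["host"], seg["msg_id"])
        parts[key][seg["seg"]] = seg["body"]
        header[key] = seg
    messages, incomplete = [], []
    for key, segs in parts.items():
        h = header[key]
        if set(segs) != set(range(1, h["total"] + 1)):
            incomplete.append(key)
            continue
        body = "".join(segs[i] for i in range(1, h["total"] + 1))
        messages.append({
            "host": h["host"], "tag": h["tag"], "msg_id": h["msg_id"],
            "facility": FACILITY_NAMES.get(h["facility"], h["facility"]),
            "severity": SEVERITY_NAMES.get(h["severity"], h["severity"]),
            "attributes": parse_attributes(body),
        })
    return messages, incomplete


if __name__ == "__main__":
    done, lost = reassemble(SAMPLE_LINES)
    for msg in done:
        print(msg["tag"], msg["attributes"])
    print("incomplete:", lost)
```

Counting the incomplete list over time is a cheap health check for the collector: a steady trickle of missing segments means datagrams are being dropped between ACS and the syslog server, and since syslog has no retransmission the only remedies are a larger configured maximum message length (fewer segments per message) or a shorter, less lossy path.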

ODBC Logger (ACS for Windows only)

You can use Open DataBase Connectivity (ODBC) loggers to log directly in an ODBC-compliant relational database, where the logs are stored in tables, one table per log. After the data is exported to the relational database, you can use the data however you need. For more information about querying the data in your relational database, refer to the documentation from the relational database vendor.

Preparing for ODBC Logging

Before you can configure ODBC logs in ACS, you must:

1. Set up the relational database to which you want to export logging data. For more information, refer to your relational database documentation.

2. On the computer that is running ACS, set up a system data source name (DSN) for ACS to communicate with the relational database that will store your logging data.

Step 4 Select the driver to use with your new DSN, and then click Finish.

A dialog box displays fields requiring information that is specific to the selected ODBC driver.

Step 5 Type a descriptive name for the DSN in the Data Source Name box.

Step 6 Complete the other fields that are required by the selected ODBC driver. These fields may include information such as the IP address of the server on which the ODBC-compliant relational database runs.

Step 7 Click OK.

Step 8 Close the ODBC window and Windows Control Panel.

The System DSN that ACS uses for communicating with the relational database is created on the computer running ACS. The name you assigned to the DSN appears in the Data Source list on each ODBC log configuration page.

Remote Logging for ACS for Windows

You can use Remote Loggers to centralize AAA-related and audit logs that multiple ACSs generate. You can configure each ACS to point to one or more ACSs to use as a remote logging server. The remote logging ACS still performs AAA functions, but it also is the repository for the logs that it receives.

The Remote Logging feature enables ACS to send data directly to the CSLog service on the remote logging server, where the data is written to the logs. The remote logging server generates the logs in the formats that it is configured to use regardless of the local logging configuration on the ACSs that are sending the data.

Note The Remote Logging feature does not affect the forwarding of data for proxied authentication requests. ACS applies Remote Logging settings to data for sessions that the proxy authenticates only when that data is logged locally. For more information about proxied authentication requests and data for sessions that the proxy authenticates, see Configuring Proxy Distribution Tables, page 3-27.

Remote Logging for ACS SE with ACS Remote Agents

The Remote Logging feature enables ACS to send data to one or more ACS Remote Agents. The remote agent runs on a computer on your network. It writes the data that ACS sends to it into CSV files. You can configure many ACS Solution Engines to point to a single remote agent, thus making the computer that runs the remote agent a central logging server.

For more information about installing and configuring an ACS Remote Agent, see Installation and Configuration Guide for Cisco Secure ACS Remote Agents Release 4.1.

Note The Remote Logging feature does not affect the forwarding of data for proxied authentication requests. ACS only applies Remote Logging settings to data for sessions authenticated by proxy when accounting data for sessions authenticated by proxy is logged locally. For more information about proxied authentication requests and data for sessions authenticated by proxy, see Configuring Proxy Distribution Tables, page 3-27.

Regardless of how many ACS Solution Engines send their accounting data to the remote agent server, the remote agent receives its configuration from a single ACS Solution Engine. That ACS is the configuration provider for the remote agent. You determine:

Logged-In Users

Lists all users receiving services for a single AAA client or all AAA clients. You can delete logged-in users from specific AAA clients or from all AAA clients.

Users accessing the network with Cisco Aironet equipment appear on the list for the access point that they are currently associated with, provided that the firmware image on the Cisco Aironet Access Point supports sending the RADIUS Service-Type attribute for rekey authentications.

On a computer configured to perform machine authentication, machine authentication occurs when the computer starts. When a computer is started and before a user logs in on that computer, the computer appears on the Logged-In Users List in the Reports and Activity section of the ACS web interface. Once user authentication begins, the computer no longer appears on the Logged-In Users List. For more information about machine authentication, see EAP and Windows Authentication, page 12-10.

Note To use the logged-in user list feature, you must configure AAA clients to perform authentication and accounting by using the same protocol—TACACS+ or RADIUS.

Lists information about resource utilization on the ACS Solution Engine. Also displays information about the IP configuration for the ACS Solution Engine and the MAC address of its network interface card.

Entitlement Reports

These reports provide information about administrator privileges and user mappings to groups. All these reports can be downloaded as text files in CSV format. You can display the reports for individual administrators in the ACS web interface. Entitlement reports are always enabled and require no configuration.

User Entitlements

The user entitlement report provides mappings of users to groups. This report lists all users with their group, Network Access Profile (NAP) if relevant, and the mapping type (static or dynamic). You can download this report in CSV format; however, you cannot display it in the ACS web interface because of its potential size.

Administrator Entitlements

The two types of Administrator Entitlement Reports are:

• Privilege report for all administrators—Lists the privileges of each administrator. You can download this report in CSV format; however, you cannot display it in the ACS web interface because of its potential size.

• Privilege reports for individual administrators—Lists privileges for the selected administrator. You can display reports for individual administrators in the ACS web interface, and you can download them as text files in CSV format.

Service Logs

Service logs are considered diagnostic logs, which you use for troubleshooting or debugging purposes only. These logs are not intended for general use by ACS administrators; instead, they are mainly sources of information for Cisco support personnel. Service logs contain a record of all ACS service actions and activities. When service logging is enabled, each service generates a log whenever the service is running, regardless of whether you are using the service. For example, RADIUS service logs are created even if you are not using the RADIUS protocol in your network. For more information about ACS services, see Chapter 1, "Overview."

Service log files reside in the \Logs subdirectory of the applicable service directory. For example, the following is the default directory for the ACS authentication service:

c:\Program Files\CiscoSecure ACS vx.x\CSAuth\Logs

Services Logged

ACS generates logs for the following services:

• CSAdmin

• CSAuth

• CSDBSync

• CSLog

• CSMon

• CSRadius

• CSTacacs

The most recent debug log is named:

SERVICE.log

where SERVICE is the name that represents the applicable service, for example auth represents the CSAuth service.

Older debug logs are named with the year, month, and date on which they were created. For example, a file that was created on July 13, 1999, would be named:

Configuring ACS Logs

You can enable and configure logging for individual logs. ACS can log information to multiple loggers simultaneously.

The starting point for enabling and configuring service logs is the Service Control page, which you access by choosing System Configuration > Service Control. The starting point for enabling and configuring all other logs and loggers is the Logging Configuration page, which you access by choosing System Configuration > Logging. The Logging Configuration page also displays which ACS logs are currently enabled.

Configuring Critical Loggers

You can configure a critical logger for accounting logs to guarantee delivery of these logs to at least one logger.

When you configure a critical logger, the reply that ACS sends to an authenticating device depends only on whether the relevant message was successfully logged to the critical logger. ACS sends the message to the other loggers off-stream (best effort, not guaranteed), which does not affect the authentication result. (For all other AAA-related reports, such as failed attempts, passed authentications and TACACS+ administration, logging is done off-stream and does not affect the result of the authentication attempt.)

You can configure a different critical logger for each accounting report; the default critical logger for each report is the local CSV log. If you do not select a critical logger, delivery of accounting messages is not guaranteed.

Note We do not recommend that you configure a syslog logger as a critical logger, because, according to the syslog standard, delivery of syslog messages is not guaranteed.

A SQL create table statement for Microsoft SQL Server appears in the right panel of the ACS window. The table name is the name that is specified in the Table Name field. The column names are the attributes that are specified in the Logged Attributes list.

Note The generated SQL is valid for Microsoft SQL Server only. If you are using another relational database, refer to your relational database documentation for information about writing a command to create a table.

Step 3 Using the information provided in the generated SQL, create a table in your relational database for this ODBC log. For ODBC logging to work, the table name and the column names must exactly match the names in the generated SQL.

When you enable the log, ACS begins sending logging data to the relational database table that you created by using the system DSN that you configured.

Configuring and Enabling Remote Logging (ACS for Windows only)

You can configure remote logging for AAA-related logs and audit logs. You must first configure the remote logging server, and then configure remote logging on each ACS that will send information to the remote logging server.

Configuring the Remote Logging Server

Before You Begin

• On a computer that you want to use as a remote logging server to store all logging data, install ACS. For information about installing ACS, see the Installation Guide for Cisco Secure ACS for Windows, Release 4.1.

• Ensure that gateway devices between the ACSs that are sending data and the remote logging ACS server permit the remote logging ACS server to receive data on TCP port 2001.

To configure the remote logging server:

Step 1 Configure and enable the individual logs as needed. All data that is sent to the remote logging server will be recorded in the way that you configure logs on this ACS. For information about:

Note You can configure Remote Logging on the remote logging server so that it will send all data to another remote logging server. However, you must use this option with caution; otherwise, you might create an endless logging loop.

Step 2 To the AAA Servers table, add each ACS from which the remote logging server will receive logging data. For more information, see Configuring AAA Servers, page 3-14.

Note If the remote logging server logs watchdog and update packets for an ACS, you must check the Log Update/Watchdog Packets from this remote AAA Server check box for that ACS in the AAA Servers table.

If you want to implement remote logging on other remote logging servers for use as secondary servers or as mirrored logging servers, repeat this procedure for each additional remote logging server.

Configuring ACS to Send Data to a Remote Logger

Note Before configuring the Remote Logging feature on each ACS server that will send data to the remote logging server, ensure that you have configured your remote logging ACS server. For more information, see Configuring the Remote Logging Server.

On each ACS that will send data to the remote logging server:

Step 1 Add the remote logging server to the AAA Servers table. For more information, see Configuring AAA Servers, page 3-14. If you have created multiple remote logging servers, repeat this step for each remote logging server.

Step 2 In the navigation bar, click System Configuration.

Step 3 Click Logging.

The Logging Configuration page appears.

Step 4 Click Remote Logging Servers Configuration.

The Remote Logging Setup page appears.

Step 5 Set the applicable Remote Logging Services Configuration options. For information about these options, see Remote Logging Setup Page.

Step 6 Click Submit.

ACS saves and implements the remote logging configuration that you specified.

You can set up remote logging to another remote agent, for use as a secondary server or as a mirror server by repeating these steps.

Configuring ACS SE to Send Data to the Remote Agent

You configure each local ACS SE to send data to the remote agent. Local configuration of remote logging does not affect the types of logs sent to remote agents or the configuration of the data included in logs sent to remote agents. For information about configuring which logs are sent to remote agents and the data the logs contain, see Configuring Remote Agent Logs on the Configuration Provider.

Before You Begin

Install and configure the remote agent before configuring the Remote Logging feature on each ACS SE that will send data to the remote agent.

Providing Service Logs for Customer Support

To provide customer support with enough data to research potential issues, set the Level of Detail to Full in the Services Log File Configuration page. See Service Control Page Reference for more details. Ensure that you have sufficient disk space to handle your log entries.

If a problem exists on your ACS, customer support will ask you to create a package.cab file. The package.cab file contains various files including:

• Certificate files—The ACS server certificate, as well as the certificate's CA.

Check the Dr. Watson settings to be sure the Dump Symbol Table and Dump All Thread Contents options are selected in addition to the default options.

Step 2 Go to the bin subdirectory in the directory in which ACS was installed.

Step 3 Type CSSupport.exe.

Run the executable with all default options. The program will collect all the necessary information including Dr. Watson logs and place them in a file called package.cab. The location of the file appears when the executable is finished.

The Support feature in the System Configuration section of the ACS web interface includes service logs in the package.cab file that it generates if you click Run Support Now. For information about this feature, see Support Page (ACS Solution Engine Only), page 7-23.

Note When creating a package.cab file that is larger than 2GB, additional .cab files are created due to the size limit of the packer. The first package name is package.cab, the second is package1.cab, and so on, until the last package, packageN.cab, where N is the number of packages minus one. The files are saved in the same location that is specified before the packing begins. These files are not standalone, and all of them must be sent together. Problems with the packed file (package.cab) may arise if there is not enough hard-disk space.

Viewing and Downloading Reports

The starting point for viewing and downloading reports is the Reports page, which you access from Reports and Activity in the navigation bar. See Reports Page Reference for a list of all the reports that can be accessed from this page.

Note The RDBMS Synchronization report and the Database Replication report are available only if those options are enabled in Interface Configuration > Advanced Options.

These topics describe how to view reports in the ACS web interface, and how to download reports:

Viewing and Downloading CSV Reports

CSV Log File Names

When you access a report in Reports and Activity, ACS lists the CSV files in chronological order, with the current CSV file at the top of the list. The current file is named log.csv, where log is the name of the log.

Older files are named as:

logyyyy-mm-dd.csv

where:

log is the name of the log.

yyyy is the year that the CSV file was started.

mm is the month that the CSV file was started, in numeric characters.

dd is the date that the CSV file was started.

For example, a Database Replication log file that was generated on October 13, 2002, would be named Database Replication 2002-10-13.csv.

Viewing a CSV Report

You can view the contents of CSV reports in the ACS web interface. You can sort the table by the entries in any column, and you can filter CSV log reports.

Filtering criteria include a regular expression, a time range, or both:

• Regular expression-based filtering checks, for each row, whether at least one column value matches the provided regular expression. When you use regular-expression filtering, ACS traverses each column and displays only the rows that match the filtering criteria.

• You can use time-based filtering by specifying values for a Start Date & Time and an End Date & Time. Rows dated within the specified time range appear.

When you enter a regular expression and use time-based filtering as well, the report will include only the rows that match both criteria.

To view a CSV report:

Step 1 In the navigation bar, click Reports and Activity.

Step 2 Click the name of the CSV report that you want to view.

On the right side of the browser, ACS lists the current CSV report filename and the filenames of any old CSV report files.

Step 3 Click the CSV report filename whose contents you want to view.

If the CSV report file contains information, the information appears in the display area.

Step 4 To check for newer information in the current CSV report, click Refresh.

Step 5 Use the Next and Previous buttons to navigate forward and backward through the report pages.

Step 6 To sort the table by a column's entries in ascending or descending order, click the column title once to sort by that column in ascending order. Click the column title a second time to sort in descending order.

Step 7 To specify filtering criteria and apply the filter to the log file's content:

a. In the Regular Expression text box enter a string value. The expression can be up to 100 characters long. See Table 10-6 for Regular Expression characters and their syntax definitions.

b. In the Start Date & Time and End Date & Time text boxes, enter string values. The date and time format is dd/mm/yyyy,hh:mm:ss or mm/dd/yyyy,hh:mm:ss as defined in the ACS system configuration for the date format.

c. In the Rows per Page box choose the number of rows to display per page. (The default is 50.)

d. Click Apply Filter. The ACS web server will apply the specified filtering criteria to the report file and display the filtered results in the report's table.

e. Click Clear Filter to reset filtering parameters to their default values. Use this option to display the entire report unfiltered.
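The filter semantics above (a row passes the regular-expression filter if any one of its columns matches, the time filter keeps rows whose Date and Time fall inside the range, and both must pass when both are set) are easy to reproduce offline on a downloaded CSV file, which is useful when you want to script a review of a Failed Attempts log rather than page through it in the browser. The following Python script is an added example and is not part of the ACS product or its documentation. The CSV rows and their column names are constructed for the example (ACS logs whichever attributes you select under Configure Log Content), and the date format assumed is the mm/dd/yyyy,hh:mm:ss form. Python's `re.search` is used for the expression, so the ^ and $ anchors behave as Table 10-6 describes, but the ACS-specific "backslash means contains" form is not supported; an unanchored Python pattern already matches anywhere in the value.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample of a Failed Attempts CSV report (not a real ACS export).
# Column names are assumed for illustration.
FAILED_ATTEMPTS_CSV = """\
Date,Time,Message-Type,User-Name,Group-Name,Caller-ID,Authen-Failure-Code,NAS-IP-Address
10/13/2002,08:15:02,Authen failed,jsmith,Default Group,10.1.1.5,CS password invalid,192.168.10.1
10/13/2002,08:15:09,Authen failed,jsmith,Default Group,10.1.1.5,CS password invalid,192.168.10.1
10/13/2002,08:15:14,Authen failed,jsmith,Default Group,10.1.1.5,CS password invalid,192.168.10.1
10/13/2002,09:40:33,Authen failed,admin,Default Group,10.1.1.77,CS user unknown,192.168.10.1
10/13/2002,11:02:50,Author failed,rjones,Ops,10.1.2.9,Service denied,192.168.10.2
10/14/2002,02:13:41,Authen failed,root,Default Group,203.0.113.8,CS user unknown,192.168.10.3
"""

# The mm/dd/yyyy,hh:mm:ss form of the filter's Start/End Date & Time fields.
ACS_DATETIME_FORMAT = "%m/%d/%Y,%H:%M:%S"


def parse_acs_datetime(text):
    """Parse a 'mm/dd/yyyy,hh:mm:ss' string as typed into the filter boxes."""
    return datetime.strptime(text, ACS_DATETIME_FORMAT)


def row_timestamp(row):
    """Combine a row's Date and Time columns into one datetime."""
    return parse_acs_datetime(f"{row['Date']},{row['Time']}")


def filter_report(csv_text, regex=None, start=None, end=None):
    """Apply ACS-style filtering to a CSV report.

    A row passes the regular-expression filter if at least one column value
    matches; it passes the time filter if its Date/Time lies within
    [start, end]; when both filters are given, the row must pass both.
    """
    pattern = re.compile(regex) if regex else None
    start_dt = parse_acs_datetime(start) if start else None
    end_dt = parse_acs_datetime(end) if end else None
    kept = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if pattern is not None and not any(pattern.search(v) for v in row.values()):
            continue
        ts = row_timestamp(row)
        if start_dt is not None and ts < start_dt:
            continue
        if end_dt is not None and ts > end_dt:
            continue
        kept.append(row)
    return kept


def repeated_failures(rows, threshold=3):
    """Count failures per (User-Name, Caller-ID) and return the pairs at or
    over the threshold: the pattern behind an account disabled by a
    failed-attempts limit, or a password-guessing attempt from one source."""
    counts = {}
    for row in rows:
        key = (row["User-Name"], row["Caller-ID"])
        counts[key] = counts.get(key, 0) + 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for row in filter_report(FAILED_ATTEMPTS_CSV, regex="user unknown"):
        print(row["Date"], row["Time"], row["User-Name"], row["Caller-ID"])
    print(repeated_failures(filter_report(FAILED_ATTEMPTS_CSV)))
```

Run it against a file you downloaded with the Download button by replacing the constructed text with the file's contents; the same functions work on the RADIUS Accounting and TACACS+ Accounting logs, since only the Date and Time columns are assumed.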

Table 10-6 Regular Expression Syntax Definitions

Character

Regular Expression Use

^

A caret (^) anchors the match to the beginning of the string. Referred to as "begins with." For example, ^A will match ABc and A123, but not 1A234. See the last table entry for another caret usage.

$

The dollar sign ($) anchors the match to the end of the string. Referred to as "ends with." For example, yz$ will match strings ending in yz, such as xyz and 0123yz, but not 12yzA.

\

The backslash (\) matches a given string at any location. Referred to as "contains." A backslash is also used to escape special characters in a regular expression (for example, \+ matches a literal plus sign (+), as opposed to the plus sign's repetition meaning in regular expressions).

.

The dot (.) matches any character.

*

The asterisk (*) indicates that the character to the left of the asterisk in the expression should match for any number of instances (that is, 0 or more times).

+

The plus sign (+) is similar to the asterisk (*), but the character to its left must match at least once (that is, 1 or more times).

?

The question mark (?) matches the expression or character to its left 0 or 1 times.

|

The pipe (|) allows the expression on either side of it to match the target string.For example, A|a matches against A as well as a.

-

The hyphen (-) indicates a range of values. For example, a-z.

()

The parentheses are used for grouping of expressions and affect the order of pattern evaluation.

[]

Brackets ([ ]) enclosing a set of characters indicate that any of the enclosed characters may match the target character. Values in brackets can be one or more characters, or ranges. For example, [02468], [0-9].

[^]

When a caret (^) immediately follows a left bracket ([), the remaining characters within the brackets are excluded from matching the target character. For example, [^0-9] matches any character that is not a digit.

Downloading a CSV Report

You can download the CSV file for any CSV report that you view in ACS.

After downloading a CSV log file, you can import it into most popular spreadsheet applications. Refer to your spreadsheet software documentation for instructions. You can also use a third-party reporting tool to manage report data. For example, aaa-reports! by Extraxi supports ACS.

To download a CSV report:

Step 1 In the navigation bar, click Reports and Activity.

Step 2 Click the name of the required CSV report.

On the right side of the browser, ACS lists the current CSV report filename and the filenames of any old CSV report files.

Step 3 Click the CSV report filename that you want to download.

If the CSV report file contains information, the information appears in the display area in the right pane.

Step 4 In the right pane of the browser, click Download.

The browser displays a dialog box for accepting and saving the CSV file.

Step 5 Choose a location where you want to save the CSV file, and click Save to save the file.

Viewing the Logged-in Users Report

Note The Logged-In Users report might take up to 20 seconds to open. Specific user information might take up to several minutes to appear.

You can view the Logged-in Users report in the ACS web interface.

Note This list of users is cleared and restarted whenever ACS services are restarted. It contains the names of users who have logged in since the last time ACS was started, unless the list has been purged manually.

From this report, you can instruct ACS to delete users who are logged in to a specific AAA client. When a user session terminates without a AAA client sending an accounting stop packet to ACS, the Logged-in Users Report continues to show the user. Deleting logged-in users from a AAA client ends the accounting for those user sessions.

Note Deleting logged-in users terminates only the ACS accounting record of users who are logged in to a particular AAA client. It does not terminate active user sessions, nor does it affect user records.

To view the Logged-in Users report:

Step 1 In the navigation bar, click Reports and Activity.

Step 2 Click Logged-in Users.

The Select a AAA Client page displays the name of each AAA client, its IP address, and the number of users who are logged in through the AAA client. At the bottom of the table, the All AAA Clients entry shows the total number of users who are logged in.

Step 3 To see a list of all users who are logged in, click All AAA Clients.

Step 4 To see a list of users who are logged in through a particular AAA client, click the name of the AAA client.

For each list of users, ACS displays tabular information on all users who are logged in, including:

•Date and Time

•User

•Group

•Assigned IP

•Port

•Source AAA Client

Tip To print this list, click anywhere in the right window and print the window from your browser.

Step 5 To sort the table by any column's entries in ascending or descending order, click the column title once to sort by that column in ascending order. Click the column title a second time to sort in descending order.

Step 6 To purge users who are logged in through a particular AAA client:

a. Click the name of the AAA client.

ACS displays a table of all users who are logged in through the AAA client. The Purge Logged in Users button appears below the table.

b. Click Purge Logged in Users.

ACS displays a message, which shows the number of users who are purged from the report and the IP address of the AAA client.
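The Logged-in Users report is derived from accounting traffic: a user appears at the Start packet and disappears at the matching Stop packet, so a AAA client that never sends the Stop leaves a stale entry, and purging only discards ACS's record, as the note above says. The following Python script is an added example, not ACS code, that rebuilds that view from a RADIUS Accounting CSV file and emulates the purge. The rows, column names and the Acct-Status-Type values (Start, Stop, Interim-Update) are constructed for the example; the session key (NAS-IP-Address plus Acct-Session-Id) is an assumption about how the sessions should be correlated, not a statement of how ACS keys them internally.

```python
import csv
import io

# Constructed RADIUS Accounting rows (not a real ACS export). Column names
# follow RADIUS attribute names ACS can log but are assumed here.
RADIUS_ACCOUNTING_CSV = """\
Date,Time,User-Name,Group-Name,Acct-Status-Type,Acct-Session-Id,NAS-IP-Address,NAS-Port,Framed-IP-Address
10/13/2002,08:00:10,alice,Default Group,Start,0000A1,192.168.10.1,1,10.20.0.5
10/13/2002,08:05:30,bob,Ops,Start,0000A2,192.168.10.1,2,10.20.0.6
10/13/2002,08:20:00,carol,Ops,Start,0000B7,192.168.10.2,5,10.20.0.9
10/13/2002,08:30:00,alice,Default Group,Stop,0000A1,192.168.10.1,1,10.20.0.5
10/13/2002,09:00:00,bob,Ops,Interim-Update,0000A2,192.168.10.1,2,10.20.0.6
"""


def logged_in_users(csv_text):
    """Rebuild the Logged-in Users view from accounting records.

    A session is open from its Start record until a Stop record with the same
    AAA client and Acct-Session-Id arrives. Interim-Update (watchdog) records
    refresh an open session but never close it, so a client that drops the
    Stop packet leaves the user listed indefinitely.
    """
    sessions = {}  # (NAS-IP-Address, Acct-Session-Id) -> row of the Start packet
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["NAS-IP-Address"], row["Acct-Session-Id"])
        status = row["Acct-Status-Type"]
        if status == "Start":
            sessions[key] = row
        elif status == "Stop":
            sessions.pop(key, None)
        elif status == "Interim-Update" and key in sessions:
            sessions[key]["Last-Update"] = f"{row['Date']},{row['Time']}"
    return sessions


def users_by_client(sessions):
    """Group open sessions per AAA client, as the Select a AAA Client page does."""
    by_client = {}
    for (nas_ip, _session_id), row in sessions.items():
        by_client.setdefault(nas_ip, []).append(row["User-Name"])
    return by_client


def purge_client(sessions, nas_ip):
    """Emulate Purge Logged in Users for one AAA client.

    Only ACS's accounting record of the sessions is dropped; nothing is sent
    to the AAA client, so any session still active on the device stays up.
    Returns the number of records purged.
    """
    purged = [key for key in sessions if key[0] == nas_ip]
    for key in purged:
        del sessions[key]
    return len(purged)


if __name__ == "__main__":
    open_sessions = logged_in_users(RADIUS_ACCOUNTING_CSV)
    for nas_ip, users in users_by_client(open_sessions).items():
        print(nas_ip, len(users), users)
    print("purged", purge_client(open_sessions, "192.168.10.1"))
    print(users_by_client(open_sessions))
```

Comparing this reconstruction with the live Logged-in Users page is a quick way to spot AAA clients whose Stop packets are not reaching ACS.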

Viewing the Disabled Accounts Report

To view the Disabled Accounts report:

Step 1 In the navigation bar, click Reports and Activity.

Step 2 Click Disabled Accounts.

The Select a user account to edit page displays disabled user accounts, the account status, and the group to which the user account is assigned.

Tip To print this list, click anywhere in the right window and print the window from your browser.

Step 3 To edit a user account listed, in the User column, click the username.

Viewing the Appliance Status Report

Tip To print this list, click anywhere in the right window and print the window from your browser.

Viewing and Downloading Entitlement Reports

You can download the CSV User Entitlement report, which maps users to groups. You can also download a report of all administrators and their privileges, as well as a report of the privileges of each individual administrator. The reports for individual administrators can also be viewed in the ACS web interface.

To view and download entitlement reports:

Step 1 In the navigation bar, click Reports and Activity.

Step 2 Click Entitlement Reports.

The Entitlement Reports page appears.

Step 3 To download the User Entitlement report:

a. Click Download report for mappings of users to groups.

The browser displays a dialog box for accepting and saving the CSV file.

b. Choose a location where you want to save the CSV file, and click Save.

Step 4 To download the privilege report for all administrators:

a. Click Download Privilege Report for All Administrators.

The browser displays a dialog box for accepting and saving the CSV file.

b. Choose a location where you want to save the CSV file, and click Save.

Step 5 To view and download the privilege report for an individual administrator:

a. Click Privilege Report for Admin, where Admin is the name of the administrator account.

The report appears in the right pane of the browser.

Tip To print this list, click anywhere in the right pane and print the window from your browser.

b. To download the CSV log file, click Download in the right pane of the browser.

The browser displays a dialog box for accepting and saving the CSV file.

c. Choose a location where you want to save the CSV file, and click Save.

Update Packets in Accounting Logs

Whenever you configure ACS to record accounting data for user sessions, ACS records start and stop packets. If you want, you can configure ACS to record update packets, too. In addition to providing interim accounting information during a user session, update packets drive password-expiry messages via the ACS Authentication Agent. In this use, the update packets are called watchdog packets.

Note To record update packets in ACS accounting logs, you must configure your AAA clients to send the update packets. For more information about configuring your AAA client to send update packets, refer to the documentation for your AAA clients.

•Logging Update Packets Locally—To log update packets according to the local ACS logging configuration, enable the Log Update/Watchdog Packets from this Access Server option for each AAA client in Network Configuration.

Remote Agents Reports Configuration Page (ACS SE only)

Use the Remote Agent Reports Configuration page, on the ACS SE that the remote agent uses as its configuration provider, to configure log content and log file management for all logs recorded on that remote agent.

To open this page, choose System Configuration > Logging. In the Logging Configuration Page, click the Remote Agent Reports Configuration link.

Table 10-10 Remote Agent Reports Configuration Page

Option

Description

Remote Logging Reports table

Displays which logs are enabled for the remote agent. The Configure links open the individual configuration page for each log.

CSV log File Configuration Page

Use the CSV log File Configuration page to enable logging to an individual local or remote CSV logger, and configure the content and file management of that log.

To open this page, choose System Configuration > Logging. In the Reports Configurations tables, click Configure for a log in the CSV column.

For an ACS SE configuration provider, to enable remote logging to a remote agent, click Remote Agent Reports Configuration, then click Configure for a log.

Note For ACS SE, there are no configurable options for local CSV Audit logs.

Table 10-11 CSV log File Configuration Page

Option

Description

Enable Logging

Contains the option to enable or disable the log.

Log to CSV log report check box

Enables or disables logging to the selected logger.

Note This check box is grayed out for CSV Audit logs, which are always enabled.

Configure Log Content

(AAA-related reports only)

Contains the options to specify which attributes will be logged.

Select Columns to Log

The Attribute list contains attributes that have not been selected for logging. The Logged Attributes list contains attributes that have been selected for logging.

The right (->) and left (<-) arrow buttons add and remove attributes to and from the Logged Attributes list.

The Up and Down buttons order the attributes in the Logged Attributes list.

Reset Columns button

Sets the attributes in the Logged Attributes list back to the default selections.

Log File Management

(ACS for Windows and Remote Agent Reports configuration only)

Contains log file management options.

Generate New File

Specifies when ACS or the remote agent should generate a new CSV file:

•Every day—At 12:01 A.M. local time every day.

•Every week—At 12:01 A.M. local time every Sunday.

•Every month—At 12:01 A.M. on the first day of every month.

•When size is greater than x KB—When the current file reaches the size, which you enter in kilobytes, in the X box.

Directory

The directory to which ACS or the remote agent writes the CSV log file. We recommend that you specify the full path including drive letter, otherwise the file location will be relative to the installation directory. If the remote agent server uses Sun Solaris, the path must begin at the root directory, such as /usr/data/acs-logs.

Manage Directory

Manages which CSV files are retained.

Keep only the last X files

Limits the number of CSV files that are retained. Enter the maximum number of files you want to retain in the X box.

Delete files older than X days

Limits the age of the CSV files that are retained. Enter the number of days to retain a CSV file before deleting it.
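The two Manage Directory rules act on the rotated files named according to the logyyyy-mm-dd.csv convention described under CSV Log File Names, and the current log.csv is the one file that must survive. Before turning on aggressive retention, it helps to see exactly which files a given setting would remove, because deleted accounting and Failed Attempts files are gone for any later investigation. The following Python script is an added example, not ACS code: it applies Keep only the last X files and Delete files older than X days to a constructed directory listing and returns the names that would be deleted. The file names, the fixed "today" used for the age rule, and the assumption that the rotated name is the log name followed by a space and the date are all constructed for the example.

```python
import re
from datetime import date, timedelta

# Rotated file name: "<log> yyyy-mm-dd.csv" (log name, space, start date).
# The current file "<log>.csv" does not match and is handled separately.
ROTATED_NAME = re.compile(
    r"^(?P<log>.+?) ?(?P<year>\d{4})-(?P<month>\d{2})-(?P<day>\d{2})\.csv$"
)

# Constructed directory listing (not a real ACS log directory).
DIRECTORY_LISTING = [
    "Failed Attempts.csv",
    "Failed Attempts 2002-10-13.csv",
    "Failed Attempts 2002-10-12.csv",
    "Failed Attempts 2002-10-01.csv",
    "Failed Attempts 2002-09-01.csv",
    "RADIUS Accounting 2002-10-13.csv",
    "RADIUS Accounting.csv",
]

# Fixed reference date for the age rule, so the example is reproducible.
TODAY = date(2002, 10, 14)


def rotated_date(filename):
    """Return the start date encoded in a rotated CSV file name, or None."""
    m = ROTATED_NAME.match(filename)
    if not m:
        return None
    return date(int(m["year"]), int(m["month"]), int(m["day"]))


def files_to_delete(filenames, log_name, today, keep_last=None, max_age_days=None):
    """Apply the Manage Directory rules to one log's rotated files.

    keep_last:    keep only the newest N rotated files (Keep only the last X files).
    max_age_days: drop rotated files started more than N days ago
                  (Delete files older than X days).
    Both rules may be combined; a file is deleted if either rule selects it.
    The current file (log_name + '.csv') is never a candidate.
    """
    current = f"{log_name}.csv"
    rotated = []
    for name in filenames:
        if name == current or not name.startswith(log_name):
            continue
        started = rotated_date(name)
        if started is None:
            continue
        rotated.append((started, name))
    rotated.sort(reverse=True)  # newest first

    doomed = set()
    if keep_last is not None:
        doomed.update(name for _, name in rotated[keep_last:])
    if max_age_days is not None:
        cutoff = today - timedelta(days=max_age_days)
        doomed.update(name for started, name in rotated if started < cutoff)
    return sorted(doomed)


if __name__ == "__main__":
    print(files_to_delete(DIRECTORY_LISTING, "Failed Attempts", TODAY, keep_last=2))
    print(files_to_delete(DIRECTORY_LISTING, "Failed Attempts", TODAY, max_age_days=30))
```

If your retention needs exceed what fits on the ACS host, forward the logs with the Syslog or ODBC loggers described below and apply the Manage Directory rules only to the local copies.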

Syslog log Configuration Page

Use the Syslog log File Configuration page to enable logging to up to two syslog loggers, and configure the content of those logs.

To open this page, choose System Configuration > Logging. In the Reports Configurations tables, click Configure for a log in the Syslog column.

Table 10-12 Syslog log File Configuration Page

Option

Description

Enable Logging

Contains the option to enable or disable the log.

Log to syslog log report check box

Enables or disables logging to the selected logger. The default is disabled.

Configure Log Content

(AAA-related reports only)

Contains the options to specify which attributes will be logged.

Select Columns to Log

The Attribute list contains attributes that have not been selected for logging. The Logged Attributes list contains attributes that have been selected for logging.

The right (->) and left (<-) arrow buttons add and remove attributes to and from the Logged Attributes list.

The Up and Down buttons order the attributes in the Logged Attributes list.

Reset Columns button

Sets the attributes in the Logged Attributes list back to the default selections.

Syslog Servers

Contains options to configure up to two syslog logging servers.

IP

Specifies the IP addresses of the syslog servers.

Port

Specifies the ports of the syslog servers to which log messages will be sent.

Max message length (bytes)

Specifies the maximum length of syslog messages, in bytes. The default, which is the recommended length for a standard syslog server, is 1024 bytes. If the messages pass through a syslog proxy or relay, you can reduce the message length to leave room for the headers the proxy adds.

ODBC log Configuration Page (ACS for Windows only)

Use the ODBC log Configuration page to enable logging to an individual ODBC logger, and configure the content and connection settings for ACS to the ODBC database.

To open this page, choose System Configuration > Logging. In the Reports Configurations tables, click the icon by the name of a log in the ODBC column.

Table 10-13 ODBC log Configuration Page

Option

Description

Enable Logging

Contains the option to enable or disable the log.

Log to ODBC log report check box

Enables or disables logging to the selected logger. The default is disabled.

Configure Log Content

(AAA-related reports only)

Contains the options to specify which attributes will be logged.

Select Columns to Log

The Attribute list contains attributes that have not been selected for logging. The Logged Attributes list contains attributes that have been selected for logging.

The right (->) and left (<-) arrow buttons add and remove attributes to and from the Logged Attributes list.

The Up and Down buttons order the attributes in the Logged Attributes list.

Reset Columns button

Sets the attributes in the Logged Attributes list back to the default selections.

ODBC Connection Settings

Contains options for ACS to communicate with the ODBC database.

Data Source list

The system DSN that you created to allow ACS to send ODBC logging data to your relational database.

Username

The username of a user account in your relational database (up to 80 characters).

Note The user must have sufficient privileges in the relational database to write the ODBC logging data to the specified table. Insert privilege on that table is all that ACS needs for logging; do not give this account broader rights, since its password is stored in the ACS configuration.

Password

The password (up to 80 characters) for the specified relational database user account

Table Name

The name (up to 80 characters) of the table to which you want ODBC logging data appended.

Create Table Statement

Contains the option to display a SQL create table statement.

Show Create Table button

Displays a SQL create table statement for Microsoft SQL Server. The statement appears in the right panel of the ACS window.

The table name is the name that is specified in the Table Name field. The column names are the attributes that are specified in the Logged Attributes list.

Note The generated SQL is valid for Microsoft SQL Server only. If you are using another relational database, refer to your relational database documentation for information about writing a command to create a table.

Service Control Page Reference

Use the Services Log File Configuration page to enable or disable logging of services logs, and configure the detail and file management of that log.

To open this page, choose System Configuration > Service Control.

You must click the Restart button for these options to take effect.

Table 10-14 Services Log File Configuration Page

Option

Description

Cisco Secure ACS on <server>

Displays whether ACS services are running or stopped.

Services Log File Configuration

Contains options to enable, disable, and configure logging of services.

Level of Detail

Disables logging, or sets the level of logging:

•None—No log file is generated.

•Low—Only start and stop actions are logged. This is the default setting.

•Full—All services actions are logged. Use this option when collecting data for customer support. This option provides customer support with enough data to research potential issues. Ensure that you have sufficient disk space to handle your log entries.

Log File Management

(ACS for Windows only)

Contains log file management options.

Generate New File

Select when ACS should generate a new services log file:

•Every day—At 12:01 A.M. local time every day.

•Every week—At 12:01 A.M. local time every Sunday.

•Every month—At 12:01 A.M. on the first day of every month.

•When size is greater than x KB—When the current file reaches the size, in kilobytes, that you enter in the X box.

Manage Directory

Check to manage which CSV files are retained.

Keep only the last X files

Select to limit the number of CSV files that are retained. Enter the maximum number of files to retain in the X box.

Delete files older than X days

Select to limit the age of the CSV files that are retained. Enter the number of days to retain a CSV file before deleting it.

Reports Page Reference

TACACS+ Accounting Reports

Displays TACACS+ Accounting reports, which contain the accounting records (session start and stop times, and update packets if you enabled them) for the applicable item during the period that the report covers.

TACACS+ Administration Reports

Displays TACACS+ Administration reports, which contain all TACACS+ commands requested during the period that the report covers. This information is typically used when you use ACS to manage access to routers.

RADIUS Accounting Report

Displays RADIUS Accounting reports, which contain the accounting records (session start and stop times, and update packets if you enabled them) for the applicable item during the period that the report covers.

VoIP Accounting Reports

Displays VoIP Accounting reports, which contain the VoIP session accounting records (session start and stop times) for the applicable item during the period that the report covers.

Passed Authentications

Displays Passed Authentications reports, which list successful authentications during the period that the report covers.

Failed Attempts

Displays the Failed Attempts reports, which contain a record of all unsuccessful authentications during the period that the report covers for TACACS+ and RADIUS. The reports capture the username attempted, time and date, and cause of failure.

Logged-in Users

Displays all users currently logged in, grouped by AAA client. You can delete logged-in users from specific AAA clients or from all AAA clients.

Disabled Accounts

Displays accounts that have been disabled.

ACS Backup and Restore

Displays ACS Backup and Restore reports, which list dates and times that the ACS system information was backed up and restored and whether the action was successful.

RDBMS Synchronization

Displays RDBMS Synchronization reports, which contain the times the RDBMS database was synchronized and whether synchronization was manual or scheduled.

This report is available only if you enable this option in the Interface Configuration > Advanced Options page.

Database Replication

Displays Database Replication reports, which contain the times the ACS Internal Database was replicated to the backup server and whether replication was manual or scheduled.

This report is available only if you enable this option in the Interface Configuration > Advanced Options page.

Administration Audit

Displays Administration Audit reports, which contain a list of the administrators who accessed ACS on the applicable date, the actions they made or attempted to make, and the time of the action. Examples of actions logged include starting and stopping the administration session, editing user and group data, and changing the network configuration.

ACS Service Monitoring

Displays ACS Service Monitoring reports, which contain a log of the events that ACS encounters when it attempts to monitor services, such as CSAdmin. This information includes events for the Active Service Monitor, CSMon, which is itself a service.

Entitlement Reports

Lists the available user and administrator entitlement reports. The user entitlement report lists all users with their group, their Network Access Profile (NAP) if relevant, and the mapping type (static or dynamic). The administrator entitlement reports list the privileges of administrators.

Appliance Status Page (ACS SE only)

Displays current statistics about hardware resource usage with information about the IP network configuration and network interface card of the ACS appliance.

Appliance Administration Audit (ACS SE only)

Displays Appliance Administration Audit reports, which contain a list of activity on the serial console of the ACS appliance. It records when the appliance administrator account is used to log in, the commands issued during the serial console session, and when the administrator logs out, ending the session.